Commit
don't be too verbose on hashes explanation
Signed-off-by: nscuro <[email protected]>
Showing 1 changed file with 0 additions and 56 deletions.
@@ -242,62 +242,6 @@ explaining what exactly that entails. In essence, the hash you see in a BOM shou | |
just in a different format. This is because the CycloneDX specification enforces hashes to be provided in hex encoding, | ||
while Go uses base64 encoded values. | ||
|
||
To verify a hash found in a BOM, do the following: | ||
|
||
1. Hex decode the value | ||
2. Base64 encode the value | ||
3. Prefix the value with `h1:` | ||
4. Compare with the expected module checksum | ||
|
||
#### Example | ||
|
||
Given the following `component` element in a BOM: | ||
|
||
```xml | ||
<component bom-ref="pkg:golang/github.com/google/[email protected]" type="library"> | ||
<name>github.com/google/uuid</name> | ||
<version>v1.2.0</version> | ||
<scope>required</scope> | ||
<hashes> | ||
<hash alg="SHA-256"> | ||
a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b | ||
</hash> | ||
</hashes> | ||
<licenses> | ||
<license> | ||
<id>BSD-3-Clause</id> | ||
<url>https://spdx.org/licenses/BSD-3-Clause.html</url> | ||
</license> | ||
</licenses> | ||
<purl>pkg:golang/github.com/google/[email protected]</purl> | ||
<externalReferences> | ||
<reference type="vcs"> | ||
<url>https:/google/uuid</url> | ||
</reference> | ||
</externalReferences> | ||
</component> | ||
``` | ||
|
||
We take the hash, hex decode it, base64 encode the resulting bytes and prefix that with `h1:` (demonstrated [here](https://gchq.github.io/CyberChef/#recipe=From_Hex('Auto')To_Base64('A-Za-z0-9%2B/%3D')Pad_lines('Start',3,'h1:')&input=YTg5NjJkNWU3MjUxNWE2YTVlZWU2ZmY3NWU1Y2ExYWVjMmViMTE0NDZhMWQxMzM2OTMxY2U4YzU3YWIyNTAzYg) in a CyberChef recipe). | ||
|
||
In this case, we end up with `h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=`. | ||
In order to verify that this matches what we expect, we can query Go's [checksum database](https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md#checksum-database) for the component we're inspecting: | ||
|
||
``` | ||
$ curl https://sum.golang.org/lookup/github.com/google/[email protected] | ||
2580307 | ||
github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs= | ||
github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= | ||
|
||
go.sum database tree | ||
3935567 | ||
SapHtgdNCeF00Cx8kqztePV24kgzNg++Xovae42HAMw= | ||
|
||
— sum.golang.org Az3grsm7Wm4CVNR1RHq9BFnu9jzcRlU2uw7lr0gfUWgO6+rqPNjT+fUTl9gH0NRTgdwW9nItuQSMbhSaLCsk8YeYSAs= | ||
``` | ||
Line 2 of the response tells us that the checksum in our BOM matches that known to the checksum database. | ||
### Version Detection | ||
|
||
For the main module and local [replacement modules](https://golang.org/ref/mod#go-mod-file-replace), *cyclonedx-gomod* will perform version detection using Git: | ||
|
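Review bot: Removing the whole verification walkthrough leaves the surviving sentence ("the hash you see in a BOM should ... just in a different format ... hex encoding, while Go uses base64 encoded values") with no actionable follow-up, so a reader who wants to check a BOM hash against Go's checksum database has nothing to go on. If the goal is only to cut verbosity, consider keeping the four-step list ("1. Hex decode the value" through "4. Compare with the expected module checksum") and the single `curl https://sum.golang.org/lookup/...` command, and dropping only the long XML component example and the annotated response. It is also worth keeping one sentence from the deleted text that the checksum database returns two lines per module, the module hash and the separate `/go.mod` hash (line 3 of the response), and that the BOM hash corresponds to the first of these; without it, a reader comparing against the wrong line would see a spurious mismatch.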